Many Google Chrome users wonder why they can’t use a master password for the Google browser. Experts have revealed that a Google master password provides a false sense of security for users. What does this mean? (Read below.) While it’s convenient to have Google Chrome remember your passwords, it could put you at a huge risk.
Web designer Elliott Kember discovered a security flaw while he was transferring bookmarks from the Apple Safari browser to Chrome. He discovered that importing bookmarks into Chrome automatically brings over your saved passwords! He also realized that he wasn’t able to disable the password import. Elliott uses a Mac, and this was the problem.
Google confirmed the automatic syncing of passwords from Apple’s Safari browsers and explained that there’s a bug in the Mac version of Chrome that will be fixed soon:
“Thanks to our users who discovered a bug in Chrome’s import interface, which improperly represents how passwords are handled upon import from other browsers,” Google said in a statement provided to ABC News.
Google has developed a fix to better handle passwords across platforms, which is expected to roll out worldwide soon. While this is great news, Kember says there’s another problem that this fix won’t solve. The passwords you import into Chrome, and any other passwords that are saved in the browser, are unprotected!
It’s simple: type chrome://settings/passwords in the address bar, and all of your saved passwords and usernames will be revealed. A blog post by Kember goes on to say, “There’s no master password, no security, not even a prompt that these passwords are visible.”
Essentially, there’s no restriction to access the password screen. As long as you have access to a desktop with Chrome installed, you can get to the passwords. The strongest security measure in place is that there’s no way to export the passwords in bulk into a plain text file.
Google’s Head of Chrome Security, Justin Schuh, responded with an explanation for Google’s choice not to include a master password:
“We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security and encourage risky behavior,” Schuh wrote. “We want to be very clear that when you grant someone access to your OS user account that they can get at everything. Because, in effect, that’s really what they get.”